Abstract. Cheng and Wan have related the decoding of Reed-Solomon codes to the computation of discrete logarithms over finite fields, with the aim of proving the hardness of their decoding. In this work, we experiment with solving the discrete logarithm over $\mathbb{F}_{q^h}$ using Reed-Solomon decoding. For fixed $h$ and $q$ going to infinity, we introduce an algorithm (RSDL) needing $O(h! \cdot q^2)$ operations over $\mathbb{F}_q$, operating on a $q \times q$ matrix with $(h+2)q$ non-zero coefficients. We give faster variants, including an incremental version and another one that uses auxiliary finite fields that need not be subfields of $\mathbb{F}_{q^h}$; this variant is very practical for moderate values of $q$ and $h$. We include some numerical results of our first implementations.



1. Introduction 

The fastest known algorithms for computing discrete logarithms in a finite field $\mathbb{F}_{p^n}$ all rely on variants of the number field sieve or the function field sieve. The former is used when $n = 1$ (see [Gor93], [SWD96], [CS06] and the references given there) or when $p$ is medium ([JLSV06] improving on [JL06]). The latter is used for fixed $p$ and $n$ going to infinity (see [Adl94], [AH99], [JL02], [GHP+04], and [Cop84] for $p = 2$, generalized in [Sem98]). Some related computations are concerned with computing discrete logarithms over tori [GV05a]. All complexities are $L_{p^n}[c, 1/3]$ where, as usual,

$$L_x[c, \alpha] = \exp\left((c + o(1))(\log x)^{\alpha}(\log\log x)^{1-\alpha}\right)$$

as $x$ goes to infinity, $c > 0$ and $0 < \alpha < 1$ being constants.

Traditional index calculus methods over $\mathbb{F}_{q^h} = \mathbb{F}_q[X]/(Q(X))$ (where $Q$ has degree $h$) look for relations of the type

(1) $$X^u \bmod Q(X) =: P(X) = \prod_{i=1}^{n} p_i(X)^{e_i},$$

where $u$ varies and the $p_i$ belong to a factor base $B$ containing irreducible polynomials in $\mathbb{F}_q[X]$. The polynomial $P(X)$ generically has degree $h - 1$, and we must find a way to factor it over $B$ using elementary division or sieving techniques. This collection phase yields a linear system over $\mathbb{Z}/(q^h - 1)\mathbb{Z}$ that has to be solved in order to find the $\log p_i$. Very often, the system is sparse and suitable methods are known (structured elimination, block Lanczos [Mon95], block Wiedemann [Cop94]).

The second phase (search phase) requires finding a factorization of $X^u f(X)$, where $f(X)$ is the element whose discrete logarithm we want.

Our aim in this work is to investigate the use of decoding Reed-Solomon codes instead of factorization of polynomials in the core of index calculus methods, following the approach of [CW07], [CW04]. Superficially, the code-based algorithm (called RSDL) replaces relations of the type (1) by

$$X^u \equiv f_A(X) := \prod_{a \in A}(X - a) \pmod{Q(X)},$$

where $A$ is a subset of a fixed set $S \subset \mathbb{F}_{q^h}$. Such a relation exists if and only if $X^u \bmod Q(X)$ can be decoded. In case of successful decoding, the set $A$ (or its complement) is recovered via factorization. If $S$ has cardinality $n$, $f_A(X)$ will be of degree $n - h$, which highlights one of the differences with a classical scheme.

It will turn out that taking $S = \mathbb{F}_q$, so that $n = q$, is often the sensible choice, and therefore our method is interesting in the case where $q$ is relatively small. Very much like in Gaudry's setting [Gau09], we will end up with a method of complexity $O(h! \cdot q^2)$ operations over $\mathbb{F}_q$, for fixed $h$ and $q$ tending to infinity. The dependency on $h$ can be dramatically lowered using a variant based on helper fields, auxiliary finite fields that need not be subfields of $\mathbb{F}_{q^h}$, making the variant very practical for moderate $q$ and $h$.

The article starts with a review of the theory and practice of Reed-Solomon codes (Sections 2 and 3). Section 4 comes back to the computation of discrete logarithms. The analysis is carried out in Section 5. In Section 6 we give an incremental version of our algorithm, which is faster in practice. Section 7 is concerned with the use of helper fields and their Galois properties.

2. Reed-Solomon codes 

2.1. Definition and properties. Let $F$ be a field, and let $S = \{x_1, x_2, \ldots, x_n\} \subset F$ be fixed, with $x_i \neq x_j$ for $i \neq j$. Define the evaluation map:

$$\mathrm{ev}_S : F[X] \to F^n, \qquad r(X) \mapsto (r(x_1), \ldots, r(x_n)).$$

For a given $1 \le k \le n$, the Reed-Solomon code $C_k$ over $F$, with support $S$ and dimension $k$, is

$$\{\mathrm{ev}_S(r(X)) \mid r(X) \in F[X],\ \deg r(X) < k\} \subset F^n,$$

and the set $S$ is called the support of the code, see [Rot06]. It is a linear code whose elements are called codewords. The (Hamming) distance between $y, z \in F^n$ is

$$d(y, z) = \left|\{i \in [1, n] \mid y_i \neq z_i\}\right|,$$

and $r(X)$ is at distance $\tau$ from $y = (y_1, \ldots, y_n)$ if $d(\mathrm{ev}_S(r(X)), y) \le \tau$. The minimum distance of a general code is the smallest distance between two different codewords, and the minimum distance of $C_k$ is known to be equal to $d = n - k + 1$.

2.2. The decoding problem. Given $C_k$ as above, the decoding problem is: given $y \in F^n$ and $\tau \le n$, find the codewords $c \in C_k$ within Hamming distance $\tau$ of $y$. This problem and its complexity depend on $\tau$. It is an NP-complete problem [GV05b] for general finite fields, $n$, $k$ and $\tau$.

For Reed-Solomon codes, this amounts to finding, for any $y \in F^n$, the set:

$$F_\tau(y) = \{r(X) \in F[X] \mid \deg r(X) < k,\ d(\mathrm{ev}_S(r(X)), y) \le \tau\}.$$

A given algorithm is said to decode up to $\tau$ if it finds $F_\tau(y)$ for any $y$. If $\tau \ge n - k$, all solutions can be found by Lagrange interpolation, and over $\mathbb{F}_q$ there are at most $\binom{n}{\tau} q^{\tau - (n - k)}$ of them. On the other hand, when $\tau$ is small enough, we have:

Proposition 1. (Unique decoding) Let $k$ be fixed and let $\tau \le \lfloor (n - k)/2 \rfloor$. Then, for any $y \in F^n$, one has $|F_\tau(y)| \le 1$.

The decoding problem is a list decoding problem when $\lfloor (n - k)/2 \rfloor < \tau \le n - k$, and an a priori combinatorial problem is to determine how large the size $\ell$ of $F_\tau(y)$ is, in the worst case over $y$. Of interest is to find $\tau = \tau(n, k)$ such that $\ell = \ell(n, k)$ is small, and $\tau = \lfloor n - \sqrt{(k - 1)n} \rfloor$ was achieved in the breakthrough papers [Sud97], [GS99]. In the present paper, we consider only unique decoding, since unique decoding algorithms are simpler and faster.

3. A fast algorithm for uniquely decoding Reed-Solomon codes

Among the many algorithms for decoding Reed-Solomon codes, we have focused our attention on a variant of the Euclidean algorithm of [SKHN75]. This version is due to Gao [Gao02].

Let $y = (y_i) \in F^n$ be the word to be decoded, $c = (c_i) \in C_k$ a codeword at distance $\tau$ from $y$, if it exists, $e = y - c = (e_i)$ the error vector, and $E = \{i \mid e_i \neq 0\}$. The locator polynomial of $e$ is $v(X) = \prod_{i \in E}(X - x_i)$, and the decoding problem often reduces to finding this polynomial. Given a decoding radius $\tau$, the correct behaviour of a decoding algorithm is to report failure when the number of errors is larger than $\tau$. The following algorithm is correct for Reed-Solomon codes and $\tau = \lfloor (d - 1)/2 \rfloor$ (unique decoding).

3.1. Gao's algorithm. For convenience, we reproduce Algorithm 1a of [Gao02].

We let $(x_i)$ be the support of the code and $(y_i)$ a received word. Remember that $k = n - d + 1$. In our case, we will have $k \approx n$ and therefore $d$ small. We denote by $\mathrm{PartialEEA}(s_0, s_1, D)$ the algorithm that performs the Euclidean algorithm on $(s_0, s_1)$ and stops when a remainder has degree $< D$. In other words, when this algorithm terminates, we have computed polynomials $u$ and $v$ such that

$$s_0(X)u(X) + s_1(X)v(X) = g(X),$$

where $g$ is the first remainder that has degree $< D$. We write $P(X) \div X^k$ for the quotient of $P(X)$ by $X^k$.

Algorithm 1a

INPUT: $(x_i) \in F^n$, $(y_i) \in F^n$.

OUTPUT: the error locator polynomial in case of successful decoding; failure otherwise.

Step 0. (Compute $G$) Compute $G(X) = \prod_{i=1}^{n}(X - x_i)$.

Step 1. (Interpolation) Compute $I(X)$ such that $I(x_i) = y_i$ for all $i$.

Step 2. (Partial gcd) Perform PartialEEA with inputs $s_0 = G \div X^k$ (of degree $d - 1$), $s_1 = I \div X^k$ (of degree $\le d - 2$), $D = (d - 1)/2$, at which time

$$u(X)s_0(X) + v(X)s_1(X) = g(X)$$

with $\deg(g) < (d - 1)/2$.

Step 3. (Division) Divide $G(X)$ by $v(X)$ to get $G(X) = h_1(X)v(X) + r(X)$. If $r = 0$, return $v(X)$; otherwise return failure.

The original algorithm adds another step for recovering the codeword in case of success, but we do not need it for our purposes. In our case, we will need to factor $v(X)$ to get the error locations.
This algorithm has been analyzed in [CY08], where fast multiplication and gcd algorithms are considered (for the characteristic 2 case). We briefly summarize the results.

Let $M(n)$ be the cost of a multiplication of two polynomials of degree $n$ with coefficients in $F$, counted in terms of operations in $F$. Following the algorithms of [GG99], we find that Step 0 costs $O(M(n))$ and Step 1 costs $O(M(n)\log n)$. Step 2 requires computing $G(X) \div X^k$ and $I(X) \div X^k$, which is just coefficient extraction. PartialEEA requires $O(M(d)\log d)$ operations (note that precise constants are given in [CY08]). Step 3 requires a division of a polynomial of degree $n$ by one of degree $d < n$, which costs $O(M(n))$. The cost of computing the roots of $v(X)$ will depend on the base field.

3.2. Improvements.

3.2.1. Computing $G$. We may compute the highest terms of $G \div X^k$ in time $O(M(n))$ (with a small constant, since the last step in the product tree will only compute the highest terms).

3.2.2. Interpolation. The input to the PartialEEA is

$$s_1(X) = I(X) \div X^k = \sum_{i=1}^{n} y_i \left(\frac{G(X)}{(X - x_i)\,G'(x_i)} \div X^k\right) = \sum_{i=1}^{n} y_i H_i(X).$$

Note that the $H_i(X)$ are polynomials of degree $\le d - 2$. We can compute $I_i(X) \div X^k$, where $I_i(X) = G(X)/((X - x_i)G'(x_i))$, by appropriately modifying the last step of the algorithm using product trees, so as to compute only the higher order terms of $I_i(X)$. This will not modify the complexity, but will decrease the constant.

3.2.3. Reusing data. If the $x_i$ are fixed (this will be our case), then $G(X)$ can be precomputed (and $s_0$ deduced from it), as well as the $G'(x_i)$. The polynomials $H_i(X)$ can also be precomputed. Instantiating the formula for $s_1(X)$ then requires $O(nd)$ operations, which is interesting when $d$ is much smaller than $n$.

3.3. The special case $S = \mathbb{F}_q$.

3.3.1. First simplifications. We can write the cost of our modifications of Algorithm 1a as follows:

$$T_G + T_{G \div X^k} + T_{I \div X^k} + T_{\mathrm{PEEA}} + T_{v \mid G},$$

where the notation $T_x$ should be self-explanatory, the last term accounting for testing whether $v \mid G$. Since $G(X) = X^q - X$, we have $T_G = O(1)$ and $T_{G \div X^k} = O(1)$.

Since $S$ may be seen as an arithmetic progression, computing $I$ or $I \div X^k$ costs $O(M(n))$ using the techniques of [BS05]. We still have $T_{\mathrm{PEEA}} = O(M(d)\log d)$.

3.3.2. Discarding $v$. Step 3 amounts to checking whether $v(X)$ factors into distinct linear factors over $\mathbb{F}_q$. The ordinary algorithm requires division of $G(X)$ by $v(X)$ and, in case of success, finding the roots of $v(X)$.

When $q$ is very small, we can find the roots of $v(X)$ in $\mathbb{F}_q$ via successive evaluation of $v(a)$ for $a \in \mathbb{F}_q$, in $O(q)$ additions. This cost would therefore be negligible.

For larger $q$, we can use the Cantor-Zassenhaus or Berlekamp algorithms, starting with the computation of $X^q \bmod v$ at a cost of $O(M(d)\log q)$. In that case, we can speed up the factoring process of $v(X)$ when needed (storing $X^{(q-1)/2} \bmod v$ for future use when $q$ is odd, etc.). The test $v \mid G$ will cost $O(M(d)\log q)$ for all relations, and in case of success, will be followed by the total cost to find $(d - 1)/2$ roots, that is to say $O(dM(d)\log q)$ operations (assuming the gcds cost less than the exponentiations). Also, some product tree of the $v$'s could be contemplated.

We can discard some polynomials $v(X)$ by using Swan's theorem [Swa62], via computation of the discriminant of $v(X)$, for a cost of $O(M(d^2))$ operations.

3.3.3. Final cost. In summary, we find

$$T_G = O(1),\qquad T_{G \div X^k} = O(1),\qquad T_{I \div X^k} = O(M(q)),$$

$$T_{\mathrm{EEA}} = O(M(d)\log d),\qquad T_{X^q \bmod v} = O(M(d)\log q),\qquad T_{\mathrm{roots}} = O(dM(d)\log q).$$

4. Discrete logarithms 

4.1. Connection with decoding Reed-Solomon codes. Consider $\mathbb{F}_{q^h}$ realized as $\mathbb{F}_q[X]/(Q(X))$, and let $S$ be any subset of $\mathbb{F}_{q^h}$ such that $Q(a) \neq 0$ for any $a \in S$, and $n = |S|$. Let $S^\mu$ be the set of subsets of size $\mu$ of $S$. For $A \in S^\mu$, define

$$f_A(X) = \prod_{a \in A}(X - a).$$

We extend [CW07] to a more general context: the field is not necessarily finite, and $Q(X)$ is not necessarily irreducible. Indeed, [CW07] considered only finite fields, and $S \subset \mathbb{F}_q$.

Theorem 2. Consider $F/K$ a field extension. Let $Q(X) \in K[X]$ be a fixed monic polynomial with $\deg Q(X) = h$, and let $S \subset F$ have size $n$, such that $Q(a) \neq 0$ for all $a \in S$. Let $h \le \mu \le n$. For any $f(X) \in K[X]$ with $\deg f(X) < h$, there exists $A \in S^\mu$ such that

(2) $$\prod_{a \in A}(X - a) \equiv f(X) \pmod{Q(X)}$$

if and only if the word

$$y = \mathrm{ev}_S\left(-f(X)/Q(X) - X^k\right)$$

is exactly at distance $n - \mu$ from the Reed-Solomon code $C_k$ of dimension $k = \mu - h$ and support $S$. All the sets $A$ such that (2) holds can be found by decoding $y$ up to the radius $n - \mu$.

Proof. Let $f(X) \in K[X]$ be given, $\deg f(X) < h$, and suppose that there exists $A \in S^\mu$ such that $\prod_{a \in A}(X - a) \equiv f(X) \pmod{Q(X)}$. Then there exists $t(X) \in F[X]$, with $\deg t(X) = \mu - h = k$, such that $\prod_{a \in A}(X - a) = f(X) + t(X)Q(X)$. We remark that $t(X)$ is monic, and we write $t(X) = X^k + r(X)$, with $\deg r(X) < k$. Then

$$f(X) + (X^k + r(X))Q(X) = \prod_{a \in A}(X - a),$$

which implies that $r(a) = -f(a)/Q(a) - a^k$ for $a \in A$. Since $|A| = \mu$, the word $\mathrm{ev}_S(-f(X)/Q(X) - X^k)$ is at distance $n - \mu$ from $\mathrm{ev}_S(r(X)) \in C_k$.

Conversely, if $\mathrm{ev}_S(-f(X)/Q(X) - X^k)$ is at distance exactly $n - \mu$ from $C_k$, there exist $A \in S^\mu$ and $r(X)$ with $\deg r(X) < k$ such that $r(a) = -f(a)/Q(a) - a^k$ for $a \in A$. Then

$$\prod_{a \in A}(X - a) \;\Big|\; f(X) + (X^k + r(X))Q(X),$$

and the equality of the degrees implies the equality

$$\prod_{a \in A}(X - a) = f(X) + (X^k + r(X))Q(X),$$

which is a relation of type (2). □

Remarks. When $\mu$ and $k$ are such that $n - \mu$ is half the minimum distance of $C_k$, the mapping

$$A \in S^\mu \mapsto \prod_{a \in A}(X - a) \bmod Q(X)$$

is one-to-one, since we have unique decoding. Furthermore, when $S \subset \mathbb{F}_q$, the number of relations of type (2) is $\binom{n}{\mu}$, and the probability of finding one is thus $\binom{n}{\mu}/q^h$ when $f(X) \in \mathbb{F}_q[X]$ is picked at random of degree less than $h$. When some elements of $S$ lie in some extension of $\mathbb{F}_q$, the probability is more intricate because of the action of the Galois group, see Section 7.

4.2. The RSDL algorithm for computing discrete logarithms. The basic idea is to decompose polynomials using decoding of Reed-Solomon codes in the inner loop. For ease of presentation, we suppose that $F = \mathbb{F}_{q^h}$. In Section 7 we will present a more general setting.

INPUT: a) $\mathbb{F}_{q^h} = \mathbb{F}_q[X]/(Q(X))$ where $Q(X)$ is primitive of degree $h$ over $\mathbb{F}_q$;

b) two parameters $n$ and $\mu$, describing a Reed-Solomon code $[n, k = \mu - h, d = n - k + 1]$; a subset $S$ of $\mathbb{F}_{q^h}$ of cardinality $n$.

OUTPUT: the logarithm $\log_X(X - a)$ for all $a \in S$.

Step 1. (Randomize) Compute $f(X) = X^u \bmod Q(X)$ for a random $u$.

Step 2. (Decode) Find $A \in S^\mu$ such that

$$f_A(X) \equiv f(X) \pmod{Q(X)}$$

using decoding. If this fails, then pick another random $u$.

Step 3. (Recover support) Given the error-locator polynomial $v(X)$, compute $f_A(X) = G(X)/v(X) = \prod_{a \in A}(X - a)$, from which we get the relation

$$u \equiv \sum_{a \in A} \log(X - a) \pmod{q^h - 1}.$$

If we have fewer than $n$ relations, go to Step 1.

Step 4. (Linear algebra) Solve the $n \times n$ linear system over $\mathbb{Z}/(q^h - 1)\mathbb{Z}$, which yields the logarithms $\log(X - a)$.

From $f_A(X) = G(X)/v(X)$, we can rewrite a relation as

$$X^u v(X) \equiv G(X) \pmod{Q(X)}.$$

The corresponding row of the relation matrix will have as many non-zero coefficients as the degree of $v$, which will be shown to be small.

The search phase (finding individual logarithms) follows the same scheme.
4.3. Numerical example. Consider $\mathbb{F}_{13^3} = \mathbb{F}_{13}[X]/(X^3 + 2X + 11)$. We use $(n, k, \mu) = (13, 7, 10)$, which gives $d = 7$. The support is $S = \{0, 1, \ldots, 12\}$. The probability of decomposition is $\binom{13}{10}/13^3 \approx 0.1302$. We find for instance that

$$X^{u} \equiv X^2 + 9X + 1 \pmod{Q(X), 13}$$

for some exponent $u$. We have to decode the word

$$y = \mathrm{ev}_S\left(-(X^2 + 9X + 1)/Q(X) - X^7\right) = (7, 1, 1, 0, 1, 3, 6, 8, 9, 12, 4, 11, 10).$$

The PartialEEA procedure yields

$$u(X) = X^2 + 5X + 3,\qquad v(X) = 5X^3 + 2X^2 + 3,\qquad g(X) = 7X + 6,$$

and the polynomial $v$ factors as $5(X - 3)(X - 8)(X - 12)$, so that

$$X^{u}(X - 3)(X - 8)(X - 12) \equiv G(X) \pmod{Q(X), 13}.$$

Write $13^3 - 1 = 2^2 \cdot 3^2 \cdot 61$. Logarithms modulo $2^2$ and $3^2$ are easy to compute. The matrix $M$ modulo 61 is given in Figure 1. Its kernel is generated by

$$V = (1\ 3\ 52\ 24\ 57\ 9\ 41\ 54\ 42\ 27\ 41\ 35\ 5\ 36)^t.$$

Computing the logarithm of $X^2 + 1$ is done using the relation

$$(X^2 + 1)X^{u'} \equiv G(X)/(X(X - 2)(X - 8)) \pmod{Q(X)}$$

for some exponent $u'$, and therefore

$$\log(X^2 + 1) = 417,$$

using the Chinese remainder theorem. (Note that this is a toy example; the logarithm of $X^2 + 1$ could have been computed in different ways, for instance by factoring it over the factor base directly.)

Figure 1. Matrix modulo 61 for the example.
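As an added example (this is not the paper's code nor NTL's), the following Python program implements Algorithm 1a of Section 3.1, the interpolation of Lemma 3 below, and the decoding step of RSDL (Theorem 2, Section 4.2), and runs them on the field, parameters and word of this numerical example. The field $\mathbb{F}_{13}[X]/(X^3 + 2X + 11)$, $(n, k, \mu) = (13, 7, 10)$ and $S = \mathbb{F}_{13}$ are the paper's; all function names (`trim`, `partial_eea`, `gao_decode`, `rsdl_relation`, `QT`, ...) are mine, and the error pattern used for the generic decoding check is constructed.

```python
# Added example (not the paper's code): Gao's Algorithm 1a (Section 3.1) as the
# decoding step of RSDL (Theorem 2, Section 4.2), with I(X) obtained as in Lemma 3,
# on the paper's own example F_13[X]/(X^3 + 2X + 11), (n, k, mu) = (13, 7, 10),
# S = F_13 (Section 4.3). Polynomials are coefficient lists mod P, lowest degree first.
P = 13
Q = [11, 2, 0, 1]          # Q(X) = X^3 + 2X + 11 (from the paper), degree h = 3
H = len(Q) - 1
N, MU = 13, 10             # n = |S| and mu = |A| = n - h (Proposition 4)
K = MU - H                 # code dimension k = 7
D = N - K + 1              # minimum distance d = 7, hence tau = (d - 1) // 2 = 3 = h
S = list(range(P))         # support S = F_13

def trim(a):               # reduce mod P and drop leading zeros
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def deg(a): return len(trim(a)) - 1        # deg(0) = -1

def add(a, b):
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def neg(a): return [-c % P for c in a]

def mul(a, b):
    out = [0] * (len(a) + len(b))
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):     # long division, returns (quotient, remainder)
    a, b = trim(a), trim(b)
    q, inv = [0] * max(len(a) - len(b) + 1, 1), pow(b[-1], -1, P)
    while a and len(a) >= len(b):
        shift, c = len(a) - len(b), a[-1] * inv % P
        q[shift] = c
        a = add(a, neg([0] * shift + [c * y for y in b]))
    return trim(q), a

def evalp(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r

def linear_product(points):            # prod (X - a) over the given points
    prod = [1]
    for a in points:
        prod = mul(prod, [-a % P, 1])
    return prod

def inverse_mod(a, m):     # a^{-1} mod m by the extended Euclidean algorithm (gcd = 1 assumed)
    r0, r1, t0, t1 = trim(m), trim(a), [], [1]
    while deg(r1) > 0:
        q, r = divmod_poly(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, add(t0, neg(mul(q, t1)))
    return trim([c * pow(r1[0], -1, P) for c in t1])

G = linear_product(S)                  # Step 0: G(X) = prod_{a in S} (X - a) = X^13 - X
QT = inverse_mod(neg(Q), G)            # Lemma 3: (-Q)^{-1} mod G, computed once

def interpolate(f):        # Lemma 3: I = (f * QT mod G) - X^k, so I(a) = -f(a)/Q(a) - a^k
    return add(divmod_poly(mul(f, QT), G)[1], neg([0] * K + [1]))

def lagrange(values):      # Step 1 in general form: I of degree < n with I(S[i]) = values[i]
    I = []
    for i, a in enumerate(S):
        others = [b for b in S if b != a]
        denom = 1
        for b in others:
            denom = denom * (a - b) % P
        I = add(I, [c * values[i] * pow(denom, -1, P) for c in linear_product(others)])
    return I

def partial_eea(s0, s1, bound):
    # Euclid on (s0, s1) until the first remainder g of degree < bound; returns (v, g)
    # where u*s0 + v*s1 = g (the cofactor u is not needed here)
    r0, r1, v0, v1 = trim(s0), trim(s1), [], [1]
    while deg(r1) >= bound:
        q, r = divmod_poly(r0, r1)
        r0, r1, v0, v1 = r1, r, v1, add(v0, neg(mul(q, v1)))
    return v1, r1

def gao_decode(I):
    # Steps 2 and 3: s0 = G / X^k, s1 = I / X^k, D = (d-1)/2; locator v if v | G, else None
    v, _ = partial_eea(G[K:], I[K:], (D - 1) // 2)
    return v if not divmod_poly(G, v)[1] else None

def rsdl_relation(f):
    # Theorem 2 with f = X^u mod Q: decode y = ev_S(-f/Q - X^k); the non-error
    # positions form A with f_A = f mod Q (a genuine decode has exactly h errors)
    v = gao_decode(interpolate(f))
    if v is None or deg(v) != H:
        return None
    A = [a for a in S if evalp(v, a) != 0]
    return A if divmod_poly(linear_product(A), Q)[1] == trim(f) else None
```

`rsdl_relation([1, 9, 1])` decodes the word $(7, 1, 1, 0, 1, 3, 6, 8, 9, 12, 4, 11, 10)$ above and returns $A = S \setminus \{3, 8, 12\}$; the returned $v$ is a scalar multiple of the one printed in the paper, which is why the code checks its roots rather than its coefficients. The extra `deg(v) != H` test is the form that Step 3's "$(d-1)/2$ roots" takes here: a word of the form of Theorem 2 that decodes at all has exactly $h$ errors, since $f + (X^k + r)Q$ is monic of degree $\mu$ and cannot vanish on more than $\mu$ points of $S$.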
4.4. Algorithmic remarks. The inner loop of the algorithm is the computation of $y$, followed by the interpolation of $y$ on the support, to get $I(X)$. We can greatly simplify the work by noting that:

Lemma 3. Let $\tilde{Q}(X)$ be the inverse of $-Q(X)$ modulo $G(X)$. Then

$$I(X) = \left(f(X)\tilde{Q}(X) \bmod G(X)\right) - X^k.$$

Since $\tilde{Q}(X)$ is computed only once, the cost of evaluating $I(X)$ is just $O(M(n))$. From a practical point of view, this is multiplication by a fixed polynomial modulo a fixed polynomial, a very well known operation that is very common in computer algebra packages (in particular NTL).

Moreover, this result shows that we do not need the explicit points of the support, but rather their minimal polynomial(s). This will be the key to the incremental version of Section 6.

5. Selecting optimal parameters

5.1. Unique decoding. Given $q$ and $h$, we aim to build an optimal $[n, k, n - k + 1]_q$ Reed-Solomon code for finding relations. While Theorem 2 was used in [CW07] in a negative way, for proving hardness of decoding up to a certain radius, we consider it in a positive way, for solving the discrete logarithm problem using unique decoding. We will consider list decoding in a subsequent work.

Proposition 4. In the context of Theorem 2, to be able to use a unique decoding algorithm of the code $C_k$, the parameters should be chosen as follows: $\tau = h$, $\mu = n - h$, and $k = n - 2h$.

Proof. For Reed-Solomon codes, unique decoding holds for $\tau = \lfloor (n - k)/2 \rfloor$. From $k = \mu - h$ and $\mu = n - \tau$, it follows that $\tau = h$. □

It should be noted that $\mu$ and $\tau$ play a symmetrical role.

5.2. Analyses.

5.2.1. Set up. For any integer $s > 0$, we assume that any elementary operation over $\mathbb{F}_{q^s}$ takes $O(M(s))$ operations over $\mathbb{F}_q$. In the same vein, an operation over $\mathbb{Z}/(q^s - 1)\mathbb{Z}$ takes $M(s)$ operations over $\mathbb{F}_q$. Given that $\tau = h$ and $d = 2h + 1$, we will write our complexities in terms of $h$ (which is the degree of the error-locator polynomial $v(X)$).

The typical analysis involves the probability $\varpi$ to get a relation (here, getting a decoded word). Since we need $n$ relations, each relation is found after $1/\varpi$ attempts of $c$ operations each, leading to $O(nc/\varpi)$. Using the decoding approach of Section 3, we see that a more precise count is

$$T_G + T_{G \div X^k} + \frac{n}{\varpi}\left(T_{I \div X^k} + T_{\mathrm{EEA}} + T_{v \mid G}\right) + n\,T_{\mathrm{roots}},$$

where we account for reusing $G$ and $G \div X^k$, and perform root searching of $v$ only in case of success.

The cost of solving an $n \times n$ linear system with $h$ non-zero coefficients per row is $O(h \cdot n^2)$ operations over $\mathbb{Z}/(q^h - 1)\mathbb{Z}$, yielding $O(h \cdot n^2 \cdot M(h))$ operations over coefficients of size $\log q$.

We will be fixing $h$ and letting $q$ go to infinity.

5.2.2. The ordinary case. In case $S$ is ordinary, that is $S \subset \mathbb{F}_{q^h}$, all polynomial operations are to be understood in $\mathbb{F}_{q^h}$. We inject the complexities of Section 3. We have $T_G = O(M(n))$. The additional cost will be

$$O\left(\frac{n}{\varpi}\left(M(n) + M(h)\log h + M(n)\right) + nhM(h)\log q\right) M(h),$$

so that the total cost is

$$O\left(\left(\frac{n}{\varpi}\left(M(n) + M(h)\log h\right) + nhM(h)\log q + h \cdot n^2\right) M(h)\right).$$



5.2.3. The case $S \subset \mathbb{F}_q$. This implies that $n \le q$. Moreover, with $Q = q^h$ (not to be confused with the polynomial $Q(X)$), we get

$$\frac{1}{\varpi} = \frac{Q}{\binom{n}{h}} \sim \frac{h!\,Q}{n^h},$$

since $h$ is fixed.

Using the fact that most of the operations are performed in $\mathbb{F}_q$ instead of $\mathbb{F}_{q^h}$, we obtain

$$O\left(\frac{n}{\varpi}\left(M(n) + M(h)\log h\right) + nhM(h)\log q\right) + O(h \cdot n^2 M(h)).$$

If $n > \log q$ and $n > h$, this simplifies to

$$O\left(h!\,(q/n)^h\, nM(n)\right) + O(h \cdot n^2 M(h)),$$

and the first term always dominates. In order to have something not too slow, we are driven to taking $n \approx q$, for a cost of

$$O(h! \cdot qM(q)) + O(hM(h) \cdot q^2) = O(h! \cdot qM(q)) = \tilde{O}(q^2).$$

Note that both costs are asymptotically $\tilde{O}(q^2)$, but with different constants. We cannot balance these two phases easily, since $h$ and $q$ are given. The only thing we can do is relax the condition $n \le q$ using Galois properties (see Section 7).

We call RSDL-FQ the corresponding discrete logarithm algorithm with $S = \mathbb{F}_q$. One of the advantages of this algorithm is to operate on $q \times q$ matrices with $2q + hq$ non-zero coefficients, so that a typical structured Gaussian elimination process will be very efficient.

Proposition 5. For fixed $h$ and $q$ tending to infinity, the algorithm RSDL-FQ has running time $O(h! \cdot qM(q))$ and requires storing $O(q)$ elements of size $h\log q$.

As a corollary, we see that the interpolation step dominates. This motivates the following Section, where this cost is decreased.



D. AUGOT AND F. MORAIN



5.2.4. Looking for a subexponential behavior. It is customary to search for areas in the plane $(\log q, h)$ yielding a subexponential behavior for the cost function. The analysis of the previous section also works in case $h \ll n$. The cost being $O(h! \cdot q^2)$, we look for $0 < \alpha < 1$ such that

$$2\log q + \log h! = c(\log Q)^{\alpha}(\log\log Q)^{1-\alpha}.$$

Making the hypothesis that $h \approx \log q$ implies

$$2\log q \approx c(\log Q)^{\alpha}(\log\log Q)^{1-\alpha},$$

or

$$\log Q \approx \left(\frac{2\log q}{c\log\log Q}\right)^{1/\alpha}\log\log Q.$$

In turn,

$$h = \frac{\log Q}{\log q} \approx \left(\frac{2\log q}{c\log\log q}\right)^{1/\alpha}\frac{\log\log q}{\log q} \approx \left(\frac{2}{c}\right)^{1/\alpha}(\log q)^{1/\alpha - 1}(\log\log q)^{1 - 1/\alpha}.$$

In order to respect the hypothesis $h \approx \log q$, we need $\alpha \ge 1/2$, and $1/2$ is possible.

6. The incremental version of the algorithm

The idea of this variant is to use $f(X) = X^u$ for increasing values of $u$, so that we can compute the interpolating polynomial for $u + 1$ from that of $u$, noting that $I(X)$ is the real input to Algorithm 1a. We first explain how to do this, and then conclude with the incremental version of our algorithm. We cannot prove that using these polynomials leads to the same theoretical analysis, but it seems to work well in practice. Note that the search phase can benefit from the same idea.

The following result will help us interpolate very rapidly, and is a rewriting of Lemma 3.

Proposition 6. For $u$ an integer, put $f_u(X) = X^u f_0(X) = c_{h-1}X^{h-1} + \cdots + c_0 \bmod Q(X)$, and let $I_u$ be the interpolation polynomial that satisfies $I_u(x_i) = y_i$ for all $i$. Then

$$I_{u+1} = XI_u(X) + X^{k+1} - X^k + c_{h-1} \bmod G(X).$$

For the convenience of the reader, we give a description of the incremental operations performed in the relation collection phase. We claim that we no longer need $\tilde{Q}$ past the initial evaluation.

procedure StartDecodingAt($f_0$, $(x_i)$)

0. Precompute $G(X) = \prod_{i=1}^{n}(X - x_i)$; $\tilde{Q}(X) = -1/Q(X) \bmod G(X)$; $f := f_0$;

1. [first interpolation, for $u = 0$] $I := \tilde{Q}f \bmod G(X) - X^k$;

2. for $u := 1$ to $q^h - 2$ do
       $c$ := coefficient of degree $h - 1$ of $f$;
       { update $I$ }
       $I := (XI + X^{k+1} - X^k + c) \bmod G$;
       { update $f$ to $f_u = X^u f_0 \bmod Q(X)$ }
       $f := Xf \bmod Q(X)$;
       if $y$ can be decoded with error-locator polynomial $v(X)$ then
           compute $v(X) = \prod_{i=1}^{h}(X - e_i)$, set $A = S - \{e_i\}$,
           store $(u, \{e_i\})$ corresponding to the relation
           $$X^u f_0(X) \equiv f_A(X) \pmod{Q(X)},\qquad\text{or}\qquad X^u f_0(X)\,v(X) \equiv G(X) \pmod{Q(X)}.$$

Note that the storage is minimal: we need to store $u$ and $h$ elements of $\mathbb{F}_q$ for each relation. The corresponding row in the matrix modulo $P \mid q^h - 1$ will contain one integer modulo $P$ together with $h$ values equal to 1.

The analysis of this very heuristic version is similar to that of the original version: we replace some $O(M(n))$ by $O(n)$ in the updating step for $I$. We find the same cost. From a practical point of view, we gain a lot, since all operations are now linear in $n = q$. It is all the more efficient as $G(X) = X^q - X$, so that reduction modulo $G$ costs $O(1)$ operations.
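As an added example (not the paper's code), here is the update loop of StartDecodingAt in Python for the setting of Section 4.3 ($q = 13$, $Q = X^3 + 2X + 11$, $S = \mathbb{F}_{13}$, $k = 7$): $f_u$ is advanced as $Xf_u - c_{h-1}Q$ and $I_u$ by the $O(q)$ rule of Proposition 6, the $X^q$ term being folded into $X$ since $G = X^q - X$. Only $I_0$ is interpolated, here with the closed-form Lagrange interpolation over $\mathbb{F}_p$ (for which $G'(a) = -1$), and every later $I_u$ is checked against the word $-f_u(a)/Q(a) - a^k$ of Theorem 2. The function names (`next_f`, `next_I`, `interpolate_fp`, `incremental_run`, ...) are mine; the decoding step itself is omitted.

```python
# Added example (not the paper's code): the incremental interpolation of
# Proposition 6 and procedure StartDecodingAt, for S = F_13, G = X^13 - X and
# Q = X^3 + 2X + 11 as in Section 4.3, checked against the direct word of Theorem 2.
# Polynomials are coefficient lists mod P, lowest degree first.
P, H, K = 13, 3, 7            # q = 13, h = 3, k = mu - h = 7
Q = [11, 2, 0, 1]             # Q(X) = X^3 + 2X + 11, monic (from the paper)
S = range(P)

def evalp(a, x):
    r = 0
    for c in reversed(a):
        r = (r * x + c) % P
    return r

def next_f(f):
    # f_{u+1} = X f_u mod Q = X f_u - c_{h-1} Q: returns (f_{u+1}, c_{h-1} of f_u)
    c = f[H - 1]
    shifted = [0] + f[:H - 1]           # X * f_u without its X^h term (which is c X^h)
    return [(shifted[i] - c * Q[i]) % P for i in range(H)], c

def next_I(I, c):
    # Proposition 6: I_{u+1} = X I_u + X^{k+1} - X^k + c mod G; with G = X^q - X the
    # reduction is O(1): the X^q coefficient folds into X. I is kept as q coefficients.
    new = [0] + list(I)                 # X * I_u, q + 1 coefficients
    new[K + 1] += 1
    new[K] -= 1
    new[0] += c
    new[1] += new[P]                    # X^q = X mod G
    return [x % P for x in new[:P]]

def direct_word(f):
    # Theorem 2: y_a = -f(a)/Q(a) - a^k for a in S
    return [(-evalp(f, a) * pow(evalp(Q, a), -1, P) - pow(a, K, P)) % P for a in S]

def interpolate_fp(y):
    # Lagrange interpolation over S = F_p in closed form: G'(a) = -1 for all a, and
    # (X^p - X)/(X - a) = X^{p-1} + a X^{p-2} + ... + a^{p-2} X + (a^{p-1} - 1)
    I = [0] * P
    for a, ya in enumerate(y):
        for j in range(P - 1):
            I[P - 1 - j] -= ya * pow(a, j, P)
        I[0] -= ya * (pow(a, P - 1, P) - 1)
    return [c % P for c in I]

def incremental_run(umax, f0=(1, 0, 0)):
    # StartDecodingAt without the decoding step: returns the list of (u, f_u, I_u);
    # I_0 comes from a single interpolation, every later I_u from the O(q) update only
    f = list(f0)
    I = interpolate_fp(direct_word(f))
    out = [(0, f, I)]
    for u in range(1, umax + 1):
        f, c = next_f(f)
        I = next_I(I, c)
        out.append((u, f, I))
    return out

def incremental_is_consistent(umax):
    # every I_u of the run must interpolate the directly computed word for f_u
    return all([evalp(I, a) for a in S] == direct_word(f) for _, f, I in incremental_run(umax))
```

Running `incremental_run` over a full period $u = 0, \ldots, 13^3 - 2$ passes through $f_u = X^2 + 9X + 1$, the polynomial decoded in Section 4.3, which is how the collection loop reaches that relation without ever recomputing $\tilde{Q}f \bmod G$.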

7. Galois action

This section is devoted to the case $S \not\subset \mathbb{F}_q$, with the idea of increasing the probability of finding relations by using helper fields. It turns out that $S$ and the relations must be Galois stable. This is not exactly the same effect as obtained in the NFS/FFS case (see for instance [JL06]), but it results in smaller matrices.

7.1. Galois orbits. We state the property in full generality, for a general field $K$.

Theorem 7. Let $F/K$ be a Galois extension, and $Q(X) \in K[X]$ have degree $h$. Let $\mu \ge h$ be an integer. Let $f(X) \in K[X]$, $\deg f(X) < \mu$, be such that there exists a unique $A \in S^\mu$ with

$$f(X) \equiv \prod_{a \in A}(X - a) \pmod{Q(X)}.$$

Then $A$ is stable under $\mathrm{Gal}(F/K)$.

Proof. We have $\prod_{a \in A}(X - a) = f(X) + t(X)Q(X)$, for some $t(X) \in F[X]$. Then, for any $\sigma \in \mathrm{Gal}(F/K)$, we find:

$$\sigma\left(\prod_{a \in A}(X - a)\right) = f(X) + \sigma(t(X))Q(X),$$

where the action of $\sigma$ is naturally extended to polynomials. Writing $\sigma(t(X)) = u(X)$ for some $u(X) \in F[X]$, and since $\sigma(f(X)) = f(X)$, we get

$$\prod_{a \in A}(X - \sigma(a)) = f(X) + u(X)Q(X),$$

i.e.

$$\prod_{a \in A}(X - \sigma(a)) \equiv f(X) \pmod{Q(X)}.$$

From the hypothesis of the unicity of $A$, we have $\sigma(A) = A$. □

To use the decoding correspondence, we fix a set $S \subset F$ such that relations of type (2) are sought for sets $A \subset S$. Then, we can enforce the uniqueness condition by fixing the parameters $n = |S|$ and $\mu$ so as to have "unique decoding", i.e. $\mu = n - h$. From the previous Theorem, $S$ must be a union of orbits under $\mathrm{Gal}(F/K)$. We collect these orbits by their size, i.e.

$$S = \bigcup_{i=1}^{e} S_i,$$

where $S_i$ is the union of the orbits of size $i$ contained in $S$, and $e$ is the maximal orbit size. Defining $n_i = |S_i|$, then $n = \sum_{i=1}^{e} n_i$, and $(n_1, \ldots, n_e)$ is a partition of $n$ with restricted summands. Given $e$ and $n$, we call the set of such partitions the partition set for short, and its size is asymptotically [FS09]

$$\frac{n^{e-1}}{e!\,(e-1)!}.$$

Before going further, let us mention that $F/K$ does not need to be a subfield of $K[X]/Q(X)$, and the following diagrams are perfectly valid for Theorem 7 to hold and for all the considerations in this Section: on the one hand, $K[X]/Q(X)$ and $F \supset S$ are two extensions of $K$; on the other hand, $\mathbb{F}_{q^h}$ and $\mathbb{F}_{q^e} \supset S$ are two extensions of $\mathbb{F}_q$.



Proposition 8. Let $S = \bigcup_{i=1}^{e} S_i$, with $n_i = |S_i|$ and $n = \sum_{i=1}^{e} n_i$, and suppose that unique decoding holds for the parameters $n$ and $\mu$. Then the number of relations (2) is

$$N_e(\mu) = \sum_{(\mu_1, \ldots, \mu_e) \in \mathcal{P}^e_\mu}\ \prod_{i=1}^{e} \binom{n_i/i}{\mu_i},$$

where $\mathcal{P}^e_\mu$ denotes the set of $(\mu_1, \ldots, \mu_e)$ with $\mu = \mu_1 + 2\mu_2 + \cdots + e\mu_e$.

Proof. Consider a partition $(\mu_1, \ldots, \mu_e)$ of $\mu$, $\mu = \mu_1 + 2\mu_2 + \cdots + e\mu_e$, and for each $i$, pick $\mu_i$ orbits of size $i$ in $S$, and consider their union $O_i$. Then $\prod_{i=1}^{e}\prod_{a \in O_i}(X - a)$ is a decomposition of type (2) of size $\mu$, which is Galois stable. Conversely, given a relation $\prod_{a \in A}(X - a) \equiv f(X) \pmod{Q(X)}$ with $|A| = \mu$, Theorem 7 indicates that $A$ is Galois stable. For each $i$, letting $O_i$ be the set of elements of $A$ with orbit size equal to $i$, and $\mu_i$ the number of orbits it contains, we can write

$$A = O_1 \cup \cdots \cup O_e,$$

with $\mu = \mu_1 + 2\mu_2 + \cdots + e\mu_e$, i.e. a partition of $\mu$. The enumeration formula follows, by considering that there are $\binom{n_i/i}{\mu_i}$ ways of choosing $\mu_i$ orbits among the $n_i/i$ orbits of size $i$. □

Then, given $\mathbb{F}_{q^h}$, in the above situation, the probability of finding a relation is

$$\frac{N_e(\mu)}{q^h} = \frac{1}{q^h}\sum_{(h_1, \ldots, h_e) \in \mathcal{P}^e_h}\ \prod_{i=1}^{e} \binom{n_i/i}{h_i},$$

from the symmetry of $\mu$ and $\tau = n - \mu$, and using $\tau = h$.

7.1.1. Example: $n = q^e$. We choose $S = \mathbb{F}_{q^e}$, $S_i$ being the set of all elements in $S$ whose orbits under Galois have size $i$. Then $n_i \approx q^i$ if $i \mid e$, and zero otherwise (so only the $i$ dividing $e$ contribute to the sums below). For $h$ constant and growing $q$, we get a probability of

$$\frac{1}{q^h}\sum_{(h_1,\ldots,h_e)\in\mathcal{P}^e_h}\ \prod_{i=1}^{e}\binom{n_i/i}{h_i} \approx \frac{1}{q^h}\sum_{(h_1,\ldots,h_e)\in\mathcal{P}^e_h}\ \prod_{i=1}^{e}\binom{q^i/i}{h_i} \approx \frac{1}{q^h}\sum_{(h_1,\ldots,h_e)\in\mathcal{P}^e_h}\ \prod_{i=1}^{e}\frac{1}{h_i!}\left(\frac{q^i}{i}\right)^{h_i}$$

$$= \frac{1}{q^h}\sum_{(h_1,\ldots,h_e)\in\mathcal{P}^e_h} q^{h_1 + 2h_2 + \cdots + eh_e}\ \prod_{i=1}^{e}\frac{1}{i^{h_i}\,h_i!} = \sum_{(h_1,\ldots,h_e)\in\mathcal{P}^e_h}\ \prod_{i=1}^{e}\frac{1}{i^{h_i}\,h_i!} =: c_e(h),$$

which does not depend on $q$. This is much higher than $1/h!$, see Figure 2.

    h          3        5         7          11          13          31          67
    1/h!       0.167    0.00833   0.000198   2.51e-8     1.61e-10    1.22e-34    2.74e-95
    c_2(h)     0.667    0.217     0.0460     0.000895    9.13e-5     4.46e-16    2.36e-45
    c_3(h)     -        0.175     0.0697     0.00356     0.000783    1.13e-11    1.32e-31
    c_4(h)     -        0.467     0.213      0.0333      0.0113      3.24e-8     1.03e-?
    c_6(h)     -        -         0.407      0.117       0.0605      1.48e-5     4.11e-15
    c_8(h)     -        -         -          0.117       0.0696      9.79e-5     5.71e-?
    c_9(h)     -        -         -          0.0591      0.0424      9.06e-5     1.76e-11
    c_12(h)    -        -         -          -           0.227       0.00384     6.67e-8

Figure 2. The constants $1/h!$ and $c_e(h)$, for $e = 2, 3, 4, 6, 8, 9, 12$ and $h = 3, 5, 7, 11, 13, 31, 67$ (entries with $e \ge h$ are not listed; the two exponents marked "?" are illegible in the source).
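As an added example (not the paper's code), the following Python program evaluates the constant $c_e(h)$ exactly as the formula above defines it, as a sum over the partitions of $h$ whose parts divide $e$, and also counts the orbits of each size in $\mathbb{F}_{q^e}$, i.e. the number of monic irreducible polynomials of degree $i$ over $\mathbb{F}_q$ for each $i \mid e$, which is the number of columns of the relation matrix of Section 7.2. The values it returns for $(e, h) = (2, 3), (2, 5), (3, 5), (4, 5), (6, 7)$ agree with Figure 2, and `base_size(7, 2)` gives the 28 polynomials of the example of Section 7.3. Function names (`multiplicity_vectors`, `c_e`, `irreducible_count`, `base_size`) are mine.

```python
# Added example (not the paper's code): the constant c_e(h) of Section 7.1.1, i.e. the
# asymptotic probability (h fixed, q growing) that a random element of F_{q^h}
# decomposes over the helper field F_{q^e}, and the size of the corresponding
# decomposition base (Sections 7.2 and 7.3). Exact rational arithmetic throughout.
from fractions import Fraction
from math import factorial

def multiplicity_vectors(h, parts):
    # all (h_i), indexed by the allowed part sizes, with sum_i i * h_i = h
    if not parts:
        return [()] if h == 0 else []
    i, rest = parts[0], parts[1:]
    return [(m,) + tail for m in range(h // i + 1)
            for tail in multiplicity_vectors(h - m * i, rest)]

def c_e(h, e):
    # c_e(h) = sum over partitions of h with parts dividing e (n_i = 0 otherwise)
    # of prod_i 1 / (i^{h_i} h_i!), the formula derived in Section 7.1.1
    parts = [i for i in range(1, e + 1) if e % i == 0]
    total = Fraction(0)
    for vec in multiplicity_vectors(h, parts):
        term = Fraction(1)
        for i, m in zip(parts, vec):
            term /= Fraction(i) ** m * factorial(m)
        total += term
    return total

def one_over_h_factorial(h):
    # the probability of Section 4.1 when S is a subset of F_q, for comparison
    return Fraction(1, factorial(h))

def mobius(n):
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0
            result = -result
        d += 1
    return -result if n > 1 else result

def irreducible_count(q, i):
    # number of monic irreducible polynomials of degree i over F_q (Gauss's formula),
    # i.e. the number n_i / i of Galois orbits of size i inside F_{q^e} when i | e
    return sum(mobius(d) * q ** (i // d) for d in range(1, i + 1) if i % d == 0) // i

def base_size(q, e):
    # columns of the relation matrix with helper field F_{q^e}: sum_{i | e} n_i / i
    return sum(irreducible_count(q, i) for i in range(1, e + 1) if e % i == 0)
```

With this, `float(c_e(5, 2))` is $13/60 \approx 0.217$ and `float(c_e(7, 6))` is $57/140 \approx 0.407$, the entries of Figure 2; `base_size(7, 2)` returns $7 + 21 = 28$.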



7.2. Practice. Since $S = \mathbb{F}_{q^e}$, we have $G(X) = X^{q^e} - X$. Decoding over $S$ amounts to testing divisibility of $G(X)$ by an error-locator polynomial $v(X)$ whose roots are conjugate under the Frobenius, since $S$ and the corresponding $A$ are. This means that $v(X)$ is a product of minimal polynomials of elements of $S$. In other words, we can see this as decomposing over the basis containing these minimal polynomials. As a consequence, the matrix of relations will be smaller, its number of columns being $\sum_i n_i/i \approx q^e/e$ instead of $q^e$.

It is not difficult to adapt the incremental version of our algorithm to that case.

Assuming all operations take place over $\mathbb{F}_q$, we thus have a complexity for the relation step which is dominated by

$$C = \frac{n}{\varpi}\left(M(n) + M(h)\log q\right).$$

In the case where we take $n = q^e$, this yields, up to logarithmic factors,

$$C \approx \frac{q^{2e}}{c_e(h)}.$$

Optimizing the value of $n$ is still on-going work.

7.3. Numerical example. Consider $\mathbb{F}_{7^5} = \mathbb{F}_7[X]/(X^5 + X + 4)$ and a helper field $\mathbb{F}_{7^2}$. The decomposition base contains 7 polynomials of degree 1 and 21 of degree 2, and its cardinality is 28. By Figure 2, the probability of success is approximately $c_2(5) \approx 0.217$. We find for instance

$$X^{u}(X + 3)(X + 4)(X + 5)(X^2 + X + 4) \equiv G(X) := X^{49} - X \pmod{Q(X)}$$

for some exponent $u$.

8. Numerical examples

8.1. RSDL-FQ. We programmed RSDL-FQ in NTL 5.5.2 and made it run on an Intel Xeon CPU E5520 at 2.27GHz. We took $p = 65537$ and ran the program on several prime values of $h$ (timings are in seconds, rounded to the nearest integer):

    h    update     EEA    X^q mod v    roots    linear algebra (size of P / time)
    3        67       4            4        3        27 / 213
    5      1297     135          104        6        28 / 3398
    7     53007    8086         5745        8        97 / 124095

Defining polynomials are: $W^3 + \cdots$, $W^5 + W - \cdots$, $W^7 + W + \cdots$.

For the last column, we indicate the size of the largest prime factor $P$ of $p^h - 1$ and the time needed to perform Gaussian inversion on the system modulo $P$ (using Magma V2.17-1 on the same machine).

8.2. RSDL-HF. We programmed the collection phase of RSDL-HF in NTL 5.5.2 and made it run on an Intel Xeon CPU E5520 at 2.27GHz, collecting the $v(X)$ unfactored.

We took $p = 3$ and ran the program on $h = 29$, with a helper field of degree $e = 8$ (timings are in seconds, rounded to the nearest integer), and the defining polynomial is $Q := W^{29} + \cdots + 1$. Another example is $p = 101$, $h = 11$ and $e = 2$. We also include an example over $\mathbb{F}_2$, with extension degree $h = 31$ and $e = 8$.

    p      h    e    update      EEA    X^{q^e} mod v    linear algebra
    2     31    8         9      271              347
    3     29    8      2255    12456             8036                 2
    101   11    2       440      816              589               100



9. Concluding remarks

Improvements can certainly be made to the present scheme to tackle more realistic discrete logarithm computations. It seems valuable to have an approach using neither smooth polynomials nor too many algebraic factorizations in discrete logarithm computations. This sheds some light on the relationship between coding theory and classical problems in algorithmic number theory.

Our investigations on the use of Reed-Solomon decoding for discrete logarithm computations have just begun. For the time being, the proposed approach seems to have a worse complexity than its competitor FFS. Many paths are still to follow. In our setting, the use of so-called large primes is not clear. In our case, we can force them by trying to decode $P(X)X^u \bmod Q(X)$ for fixed $P$ and hoping for several relations, but this does not seem to decrease the cost of the algorithm.

Some other topics of research include the use of list decoding algorithms, variants of Reed-Solomon codes or more general codes. We could also dream of getting the best of both worlds, for instance factoring our $f_A(X)$'s to get more relations. All this is the subject of on-going work.

Acknowledgments. Our thanks go to A. Bostan and E. Schost for answering our questions on computer algebra; M. Finiasz for helpful discussions; B. Smith for his careful reading of the manuscript.